December 2006
Report No. 07-001

FDIC’s Supervision of Financial Institutions’ OFAC Compliance Programs

AUDIT REPORT


Background and Purpose of Audit

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is responsible for promulgating, developing, and administering economic and trade sanctions such as trade embargoes, blocked assets controls, and other commercial and financial restrictions under the provisions of various laws. In general, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes economic sanctions. Sanctions also can be used against dangerous groups and individuals, such as international narcotics traffickers, terrorists, and foreign terrorist organizations, regardless of national affiliation.

As part of its enforcement efforts, OFAC publishes a list of individuals and companies controlled by, or acting for or on behalf of, targeted countries. The list also includes individuals and entities such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and entities are called Specially Designated Nationals and Blocked Persons (SDN).

The objective of this audit was to determine whether the FDIC’s Division of Supervision and Consumer Protection (DSC) provides effective supervision of compliance with OFAC regulations by FDIC-supervised institutions.

To view the full report, go to www.fdicig.gov/2007reports.asp

Results of Audit

The FDIC’s supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations. For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of implemented controls and whether those controls were commensurate with the financial institutions’ specific product lines, customer base, nature of transactions, and identification of high-risk areas. In addition, the FDIC has taken important steps to address institutions’ OFAC compliance, such as participating in developing and issuing interagency guidance for examiners and banking organizations, including notifications on updates to OFAC’s SDN list; conducting OFAC-related training and outreach activities for examiners and the banking industry; issuing Bank Secrecy Act-related cease and desist orders that included OFAC-related provisions; and signing an interagency Memorandum of Understanding, which governs information-sharing between the Federal Banking Agencies and OFAC.

The FDIC, however, could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions. In addition, examiner workpaper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems used by financial institutions. These measures could assist the FDIC and OFAC in addressing the risks associated with financial institution noncompliance with OFAC regulations.

We also identified a matter for congressional consideration regarding examination and enforcement authorities associated with institution compliance with OFAC regulations. Specifically, a more comprehensive statutory and regulatory framework exists for the examination and enforcement of Bank Secrecy Act (BSA) compliance and the establishment of BSA compliance programs than for OFAC compliance, although both BSA and OFAC requirements address national security and law enforcement concerns.

Recommendations and Management Response

The report makes four recommendations for DSC to enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions; and issuing additional guidance to examiners to ensure consistent and comprehensive documentation of OFAC compliance to better assist the FDIC and subsequent examination teams in ensuring financial institution compliance with OFAC laws and regulations. DSC management concurred with two of the recommendations and agreed with the intent of the remaining two recommendations. Completed and planned actions are responsive to all recommendations.


TABLE OF CONTENTS

BACKGROUND

RESULTS OF AUDIT

DSC’S SUPERVISORY APPROACH TO OFAC COMPLIANCE
   Evaluation of OFAC Compliance
   Supervisory Monitoring
   Conclusion
   Recommendation
   Corporation Comments and OIG Evaluation

DOCUMENTATION OF DSC’S EXAMINATION COVERAGE OF FINANCIAL INSTITUTION OFAC COMPLIANCE
   Recommendations
   Corporation Comments and OIG Evaluation

MATTER FOR CONGRESSIONAL CONSIDERATION – AUTHORITIES FOR SUPERVISION OF OFAC COMPLIANCE
   Examination and Enforcement Authority for BSA Compliance
   Examination and Enforcement Authority for OFAC Compliance
   Conclusion

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX II: REGULATORY AUTHORITY AND OVERSIGHT FOR OFAC AND BSA COMPLIANCE

APPENDIX III: CORPORATION COMMENTS

APPENDIX IV: MANAGEMENT RESPONSE TO RECOMMENDATIONS


ACRONYMS

AML        Anti-Money Laundering
BSA        Bank Secrecy Act
C&D        Cease and Desist Order
C.F.R.     Code of Federal Regulations
DSC        Division of Supervision and Consumer Protection
ED         Examination Documentation
FBA        Federal Banking Agency
FDI        Federal Deposit Insurance
FFIEC      Federal Financial Institutions Examination Council
FIL        Financial Institution Letter
FinCEN     Financial Crimes Enforcement Network
FRB        Federal Reserve Board
GAO        Government Accountability Office
MOU        Memorandum of Understanding
NCUA       National Credit Union Administration
OCC        Office of the Comptroller of the Currency
OFAC       Office of Foreign Assets Control
OIG        Office of Inspector General
OTS        Office of Thrift Supervision
RFPA       Right to Financial Privacy Act
SDN        Specially Designated Nationals and Blocked Persons
TEOAF      Treasury Executive Office for Asset Forfeiture
TFI        Office of Terrorism and Financial Intelligence
U.S.C.     United States Code
ViSION     Virtual Supervisory Information on the Net


Federal Deposit Insurance Corporation                 Office of Audits
3501 Fairfax Drive, Arlington, VA 22226               Office of Inspector General

DATE:            December 14, 2006

MEMORANDUM TO:   Sandra L. Thompson, Director
                 Division of Supervision and Consumer Protection

FROM:            Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
                 Assistant Inspector General for Audits

SUBJECT:         FDIC’s Supervision of Financial Institutions’ OFAC Compliance Programs (Report No. 07-001)

This report presents the results of the subject FDIC Office of Inspector General (OIG) audit. The audit objective was to determine whether the FDIC’s Division of Supervision and Consumer Protection (DSC) provides effective supervision of compliance with Office of Foreign Assets Control (OFAC) regulations by FDIC-supervised institutions. All U.S. persons and entities, including U.S. banks, holding companies, and non-bank subsidiaries, must comply with OFAC regulations.[1]

To address our audit objective, we (1) assessed the FDIC’s statutory and regulatory authorities for ensuring OFAC compliance by the institutions it supervises, (2) reviewed DSC’s supervisory and examination processes for OFAC compliance, and (3) reviewed DSC’s OFAC examination coverage at 16 sampled financial institutions. Our observations on statutory and regulatory authorities may apply equally to the other Federal Banking Agencies (FBA),[2] which also examine financial institutions for OFAC compliance. Appendix I of this report discusses our objective, scope, and methodology in detail.

[1] All U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens, regardless of where they are located; all persons and entities within the United States; and all U.S.-incorporated entities and their foreign branches.
Accordingly, all U.S. financial institutions; their branches and agencies; international banking facilities; and domestic and overseas branches, offices, and subsidiaries must comply with OFAC regulations, 31 Code of Federal Regulations (C.F.R.) Chapter V.
[2] FBAs include the FDIC, Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), Federal Reserve Board (FRB), and National Credit Union Administration (NCUA), which collectively form the Federal Financial Institutions Examination Council (FFIEC).


BACKGROUND

Within the U.S. Department of the Treasury (Treasury Department), the Office of Terrorism and Financial Intelligence (TFI) marshals the department’s intelligence and enforcement functions for the purposes of safeguarding the nation’s financial system against illicit use and combating terrorist facilitators, money launderers, drug kingpins, and various national security threats. TFI is composed of several offices, including OFAC, the Financial Crimes Enforcement Network (FinCEN), and the Treasury Executive Office for Asset Forfeiture (TEOAF).

OFAC is responsible for developing, promulgating, and administering sanctions for the Secretary of the Treasury under various laws, including, but not limited to, the Trading With the Enemy Act and the International Emergency Economic Powers Act. In general, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes trade or economic sanctions. Sanctions can be used against dangerous groups and individuals, such as international narcotics traffickers, terrorists, and foreign terrorist organizations, regardless of national affiliation. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments. The U.S. Government has used economic sanctions as a tool against international terrorist organizations since 1995, marking a significant departure from the traditional use of sanctions against hostile countries or regimes. Following the terrorist attacks on September 11, 2001, Executive Order 13224 entitled, Blocking Property and Prohibiting Transactions With Persons Who Commit, Threaten to Commit, or Support Terrorism, was signed, significantly expanding the scope of U.S. sanctions against international terrorists and terrorist organizations.

As part of its enforcement efforts, OFAC publishes a list of individuals and companies controlled by, or acting for or on behalf of, targeted countries. The list also includes individuals and entities such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and entities are called Specially Designated Nationals and Blocked Persons (SDN).

OFAC regulations require financial institutions to block or reject accounts and transactions[3] that involve any persons, entities, or countries that are included on the SDN list. Specifically, financial institutions must block transactions that are:

   •   by or on behalf of a blocked individual or entity,
   •   to or through a blocked entity, or
   •   in connection with a transaction in which a blocked individual or entity has an interest.

[3] Financial institutions should compare new accounts, which include deposits, loans, trusts, safe deposit boxes, investments, credit cards, and foreign office accounts, and existing customer accounts against OFAC’s SDN list. Blocked accounts are those for which payments, transfers, withdrawals, or other dealings may not be made except as licensed by OFAC or otherwise authorized by the Treasury Department. Transactions include automated clearing house transactions, funds transfers, letters of credit, non-customer transactions, and the sale of monetary instruments. In some cases, the underlying transaction may be prohibited, but there is no blockable interest in the transaction. In these cases, the financial institution should reject the transaction.

Further, financial institutions must file (1) initial reports within 10 days for accounts and transactions that are blocked and/or rejected and (2) annual comprehensive reports on all blocked property[4] (held as of June 30) no later than September 30. An OFAC publication entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005, provides guidance to financial institutions on monitoring financial transactions to ensure that SDNs, narcotics traffickers, and terrorists do not benefit from access to our nation’s financial system.

Violations of OFAC sanctions occur when a financial institution processes a transaction, with or for an SDN, that should have been blocked or rejected.[5] OFAC can impose civil money penalties for violations of established sanctions. In addition, Title 18 United States Code (U.S.C.) §1001 provides for criminal penalties associated with OFAC noncompliance.

FDIC safety and soundness examinations of FDIC-supervised financial institutions include an assessment of financial institution compliance with Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) requirements.[6] As part of the BSA/AML examinations, the FDIC assesses financial institutions’ OFAC compliance programs. Interagency guidance[7] entitled, Bank Secrecy Act/Anti-Money Laundering Examination Manual,[8] issued in June 2005 by the FFIEC provides examination procedures related to BSA, AML, and OFAC examinations. OFAC assisted in the development of the manual sections that relate to OFAC reviews.
Further, in January 2006, OFAC published guidelines entitled, Economic Sanctions Enforcement Procedures for Banking Institutions,[9] in the Federal Register that complement and expand upon examination guidance for OFAC examinations.

[4] Property is anything of value, such as money, checks, drafts, debts, obligations, notes, bills of sale, evidences of title, negotiable instruments, trade acceptances, contracts, and anything else real (tangible or intangible), or personal, and present, future, or contingent interests.
[5] OFAC has the authority, through a licensing process, to permit certain transactions that would otherwise be prohibited under OFAC regulations when OFAC determines that the transaction does not undermine the U.S. policy objectives of the particular sanctions program, or is otherwise justified by U.S. national security or foreign policy objectives. In addition, OFAC can promulgate general licenses that authorize categories of transactions, such as allowing reasonable service charges on blocked accounts, without the need for a case-by-case authorization from OFAC.
[6] The Bank Secrecy Act of 1970, Public Law 91-508.
[7] Interagency guidance was issued by members of the FFIEC, FinCEN, and OFAC in June 2005 and was updated in July 2006.
[8] On July 28, 2006, the FFIEC issued a revised BSA/AML Examination Manual. Revisions that relate to OFAC include additional guidance on domestic and cross-border automated clearing house transactions.
[9] Interim final rule 31 C.F.R. 501.


RESULTS OF AUDIT

The FDIC’s supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations. For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of controls implemented and whether those controls were commensurate with the financial institutions’ specific product lines, customer base, nature of transactions, and identification of high-risk areas. In addition, the FDIC has taken important steps to address institutions’ OFAC compliance at FDIC-supervised financial institutions.

The FDIC, however, could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions (DSC’s Supervisory Approach to OFAC Compliance).

Further, examiner workpaper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems[10] used by FDIC-supervised financial institutions (Documentation of DSC’s OFAC Reviews).

We also identified a matter for congressional consideration regarding examination and enforcement authorities associated with institution compliance with OFAC regulations. Specifically, a more comprehensive statutory and regulatory framework exists for the examination and enforcement of BSA compliance and the establishment of BSA compliance programs than for OFAC compliance and a related program, although both BSA and OFAC requirements address national security and law enforcement concerns (Matter for Congressional Consideration – Authorities for Supervision of OFAC Compliance).


DSC’S SUPERVISORY APPROACH TO OFAC COMPLIANCE

DSC’s supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations.
For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of controls implemented and whether those controls were commensurate with financial institutions’ OFAC risk assessments. In addition, DSC has taken the following steps to address institutions’ OFAC compliance:

   •   participated in developing and issuing interagency guidance for examiners and banking organizations, including notifications on updates to OFAC’s SDN list;
   •   conducted OFAC-related training and outreach activities for examiners and the banking industry;
   •   issued BSA-related Cease & Desist (C&D) Orders that include OFAC-related provisions; and
   •   signed an interagency Memorandum of Understanding (MOU), which governs information-sharing between the FBAs and OFAC.

[10] Financial institutions may use “interdiction” software packages to compare transactions and accounts against the OFAC SDN list and assist the institution in determining which transactions and/or accounts should be blocked or rejected.

DSC could, however, enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions. These steps could assist the FDIC and OFAC in better addressing the risks associated with financial institution noncompliance with OFAC regulations and sanctions.

Evaluation of OFAC Compliance

DSC has implemented interagency guidelines for evaluating institutions’ OFAC compliance and taken additional steps in support of OFAC regulations. According to the FFIEC BSA/AML Examination Manual, to facilitate an examiner’s understanding of the financial institution’s risk profile and to adequately scope an OFAC examination, an examiner should review the financial institution’s:

   •   OFAC risk assessment that considers types of products, services, customers, transactions, and geographic locations;
   •   independent testing of its OFAC program;
   •   correspondence received from OFAC and, as needed, OFAC’s Web site to determine whether the institution has received any warning letters, fines, or penalties imposed by OFAC since the most recent examination; and
   •   correspondence related to periodic reporting of prohibited transactions and, if applicable, annual reports on blocked property.

The manual states that it is not the FBAs’ primary role to identify OFAC violations. Rather, the examination procedures are designed to help examiners determine whether financial institutions have policies, procedures, and processes in place for compliance with OFAC laws and regulations commensurate with an institution’s OFAC risk profile. DSC officials stated that if examiners identify significant issues with OFAC compliance during examinations, examiners may conduct additional transactional testing related to those issues.

Additional steps taken by the FDIC in support of OFAC regulations and sanctions are described below.

Interagency Guidance. DSC participated in the development of the FFIEC BSA/AML Examination Manual, issued in June 2005, and an updated version issued in July 2006. The project was a collaborative effort by the FBAs, OFAC, and FinCEN to ensure consistency in the application of the BSA/AML and OFAC regulations. With respect to OFAC compliance, the manual provides:

   •   expectations on OFAC compliance program elements;
   •   information on financial institutions’ responsibilities to report blocked and rejected accounts or transactions to OFAC;
   •   core procedures related to OFAC examinations; and
   •   an OFAC risk matrix, which examiners should use, as appropriate, when assessing a financial institution’s risk of encountering OFAC issues.

The manual is available to the banking industry as a reference guide for OFAC-related issues. In addition, DSC has issued financial institution letters (FIL) to announce new regulations and policies, including updates to OFAC’s SDN list.

Examiner Training and Outreach Activities. DSC has conducted and/or participated in a number of activities to familiarize examiners and financial institutions with guidance in the FFIEC BSA/AML Examination Manual. These events included:

   •   a training Webcast in July 2005 for approximately 1,200 federal and state bank examiners to discuss the BSA/AML manual;
   •   a series of teleconferences in August 2005 for bankers that included an overview of the BSA/AML manual and a question-and-answer session;
   •   banker outreach and examiner training events in August 2005 in 5 major U.S. cities; and
   •   nationwide BSA/AML conference calls for the examination staff and financial institutions in September 2006 to discuss the July 2006 changes to the FFIEC BSA/AML Examination Manual. More than 1,500 examiners and 10,650 bankers and industry representatives participated.

In addition, according to the FFIEC Annual Report 2005, the FFIEC has conducted extensive outreach activities with federal and state examiners and the banking industry on the FFIEC BSA/AML Examination Manual and regulatory expectations, reaching more than 23,000 bankers and examiners.

OFAC-Related Enforcement Actions. The FDIC has included OFAC-related provisions in BSA-related C&Ds. We reviewed the FDIC Enforcement Decisions and Orders Web site to identify C&Ds that included OFAC provisions for the period January 2004 through August 11, 2006. Although we did not identify any OFAC-specific C&Ds, we identified 10 cases in which the FDIC had included OFAC provisions in BSA-related C&Ds. Those OFAC provisions primarily related to financial institutions that had not implemented an adequate OFAC compliance program and/or institutions that had not implemented policies and procedures to ensure account databases were adequately compared against the OFAC SDN list.

Information Sharing With OFAC. To increase the level and extent of information sharing, the FBAs signed an MOU with OFAC in April 2006. In accordance with the MOU, the FBAs and OFAC can share information regarding OFAC’s administration and enforcement of economic sanctions, compliance with OFAC regulations by financial institutions, and financial institutions’ violations of OFAC sanctions.
Specifically, the FBAs are to notify OFAC of:

   •   apparent, unreported sanctions violations identified during examinations of financial institutions;
   •   significant deficiencies[11] in a banking organization’s policies, procedures, and processes for ensuring compliance with OFAC regulations.

In turn, OFAC will notify the respective FBA of enforcement actions OFAC takes against a financial institution. In August 2006, DSC issued a memorandum to its regional offices to formally communicate the information-sharing provisions of the MOU and establish a process for the exchange of information with OFAC.

Supervisory Monitoring

DSC has not established a comprehensive process for monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, or OFAC-related enforcement actions. DSC field staff review OFAC-related concerns on an examination-by-examination basis. Further, DSC does not consolidate this information to identify institution, regional, or national trends or patterns of noncompliance or program deficiencies. Specifically, we found that OFAC compliance information for FDIC-supervised institutions was not available on the following items:

   •   the number of violations of OFAC regulations,
   •   specific financial institutions that had not implemented the expected OFAC compliance program elements,
   •   FDIC enforcement actions that include provisions related to OFAC noncompliance,
   •   OFAC enforcement actions against FDIC-supervised financial institutions for apparent violations of trade or economic sanctions, or
   •   historical examination results related to OFAC compliance.

In a prior audit report issued in March 2004, we reported that the FDIC tracked supervisory actions related to BSA violations.[12] Similarly, in another prior report issued in September 2006, we noted that the FDIC also tracks supervisory actions related to a range of other regulatory compliance requirements.[13]

In the absence of monitoring data from DSC, we contacted OFAC for information on FDIC-supervised institutions. OFAC identified nine instances during 2004 and 2005 in which FDIC-supervised financial institutions may have violated sanctions by failing to block transactions as far back as 2001. The FDIC was aware of some, but not all, of the nine instances. At the time that we contacted OFAC, only two of those nine instances had been resolved by OFAC.

[11] A significant deficiency is a systemic or pervasive compliance deficiency or reporting and recordkeeping violation, including a situation in which a banking organization fails to respond to supervisory warnings concerning OFAC compliance deficiencies or systemic violations.
[12] On March 31, 2004, the FDIC OIG issued Audit Report No. 04-017 entitled, Supervisory Actions Taken for Bank Secrecy Act Violations. The audit objective was to determine whether DSC had adequately followed up on reported BSA violations to ensure that institutions implemented appropriate corrective action.
[13] On September 29, 2006, the FDIC OIG issued Audit Report No. 06-024 entitled, Division of Supervision and Consumer Protection’s Supervisory Actions Taken for Compliance Violations. The audit objective was to determine whether DSC had adequately addressed the violations and deficiencies reported in compliance examinations to ensure that FDIC-supervised institutions took appropriate corrective action.

Conclusion

DSC has implemented interagency guidelines for evaluating institutions’ OFAC compliance and taken additional steps in support of OFAC regulations. However, DSC has not implemented certain supervisory controls for OFAC compliance, such as a system or process to monitor and track OFAC program deficiencies, institutions that may have violated OFAC sanctions, and enforcement actions taken by the FDIC and/or OFAC. As a result, the level of focus placed on OFAC compliance may not be sufficient to ensure that financial institutions implement the necessary controls to comply with OFAC regulations and take necessary actions to correct identified deficiencies and prevent future deficiencies or violations.

DSC could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution violations of OFAC sanctions, compliance program deficiencies, and OFAC-related enforcement actions. A monitoring and tracking process would assist the FDIC in identifying those financial institutions that may have a history of not implementing effective controls to ensure compliance with OFAC regulations and, subsequently, may require further supervisory and/or enforcement consideration.

Recommendation

We recommend that the Director, DSC:

1. Implement a process to monitor and track OFAC sanctions violations, deficient OFAC compliance programs, and OFAC-related enforcement actions to assist in monitoring OFAC compliance.

Corporation Comments and OIG Evaluation

The Director, DSC, provided a written response to a draft of this report on December 8, 2006. DSC’s response is presented in its entirety in Appendix III of this report. DSC concurred with recommendation 1 and implemented a process in November 2006 to track and monitor OFAC sanctions violations and program compliance deficiencies. This process will help support DSC’s coordination with OFAC, such as on the seven unresolved instances OFAC identified in 2004-2005 in which FDIC-supervised institutions may have violated OFAC sanctions. DSC’s action for recommendation 1 is responsive, and we consider the recommendation resolved. However, the recommendation will remain open until we have determined that this action has been completed and is effective. Appendix IV presents a summary of DSC’s responses to our recommendations.


DOCUMENTATION OF DSC’S EXAMINATION COVERAGE OF FINANCIAL INSTITUTION OFAC COMPLIANCE

As instructed by the FFIEC BSA/AML Examination Manual OFAC core examination procedures, examiners generally (1) relied on the financial institutions’ risk assessments and the results of the institutions’ internal or external audits and (2) included documentation in the examination workpapers on financial institutions’ OFAC compliance programs, including OFAC-related policies and procedures, a designated compliance officer, internal controls, training, and independent testing.
However, examiner workpaper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems used by the institutions. More complete documentation would ensure that examiner conclusions regarding financial institutions' controls established and implemented for OFAC compliance are adequately documented, supported, and reported.

DSC's Regional Directors Memorandum entitled, Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules (Transmittal 2001-039, dated September 25, 2001), defines standards for examination workpaper documentation. According to the guidelines, examination documentation should (1) demonstrate a clear trail of decisions and supporting logic and (2) provide written support for examination and verification procedures performed and conclusions reached and support the assertions of fact or opinion in reports of examination. Although the use of Examination Documentation (ED) Modules14 is discretionary, the guidelines recommend that examiners use the ED Modules for the BSA examinations, which include reviews of OFAC policies and procedures. DSC updated the ED Modules in July 2006 by incorporating the BSA/AML examination procedures, which include procedures for OFAC compliance.

14 The ED Modules are an examination tool that focuses on risk management practices and guides examiners to establish the appropriate examination scope. The modules incorporate questions and points of consideration into examination procedures to specifically address a bank's risk management strategies for each of its major business activities. In addition, the modules direct examiners to consider areas of potential risk and associated risk control practices, thereby facilitating a more effective supervisory program.

We reviewed examination documentation on OFAC reviews conducted by 2 DSC regional offices for 16 financial institutions and made the following observations.

• Examination pre-planning documentation explicitly addressed OFAC compliance as a factor in determining the scope of examinations for 6 of the 16 institutions, while the pre-planning documentation for the other examinations did not specifically mention OFAC compliance. In some of these cases, examiners addressed BSA compliance in the examination pre-planning documentation, but it was not clear whether OFAC compliance had been considered. According to DSC guidance, examiners are to limit information in the pre-examination planning memoranda to an "exception only" basis for areas considered higher or lower-than-normal risk. Examiners are not required to comment on areas subject to regular examination procedures. Thus, we could not determine whether examiners had not considered OFAC compliance or there was "normal" risk that did not warrant mention in the pre-planning documentation.

• Although examiners reviewed OFAC correspondence that the financial institution maintained, there was no indication whether examiners had contacted their regional office, DSC headquarters, or OFAC before, during, or after the examination to determine whether those institutions have had any OFAC compliance civil money penalties or warning/cautionary letters or whether OFAC was conducting investigations or audits related to the financial institution being examined.

• Examination documentation of the extent of work completed was inconsistent for the OFAC-related core examination procedures provided in the FFIEC BSA/AML Examination Manual. For 5 of the 16 examinations, the core procedures had not been completed. Additionally, in four cases, examiners used check marks or symbols for some of the procedures without providing explanations of the symbols. However, in cases where the core procedures had not been completed, the workpapers contained evidence of documentation for some of the procedure steps. On the other hand, in seven cases, examiners provided detailed responses for each core procedure question.

• Examination workpapers and reports of examination did not usually include an overall conclusion on the sufficiency of the financial institution's OFAC compliance program or the effectiveness of the financial institution's interdiction system used to compare the institution's accounts and transactions to the OFAC SDN list. Specifically, for 5 of the 16 examinations, the examination results did not include the examiner's conclusion on the sufficiency of the bank's OFAC compliance program. Documentation for only 2 of the 16 examinations presented conclusions on the adequacy of the financial institution's interdiction system.

Additionally, we found it was difficult to identify information on the results of OFAC reviews because such information is embedded within the BSA/AML examination comments when BSA/AML deficiencies are identified. The FFIEC BSA/AML Examination Manual states that BSA and OFAC regulations are distinct and separate. However, financial institutions generally incorporate procedures related to OFAC compliance programs into BSA programs. For example, a financial institution's OFAC officer is likely to be the institution's BSA compliance officer, OFAC training is often conducted simultaneously with BSA training, independent testing of the OFAC program may be conducted concurrently with independent testing of the BSA program, and OFAC policies and procedures may be included in the financial institution's overall BSA policies and procedures. One DSC official stated that all BSA/AML examinations should include a review of a bank's OFAC compliance; however, we found that examiners were not consistent in including OFAC-related issues in examination comments.

Consistent and comprehensive documentation and reporting of OFAC compliance would better assist the FDIC and subsequent examination teams in ensuring financial institution compliance with OFAC laws and regulations. Additional examination guidance could help ensure that OFAC concerns are clearly identified apart from BSA-related observations.

Recommendations

We recommend that the Director, DSC:

2. Issue examination guidance to clarify the nature and extent of documentation expected for OFAC examination coverage, including documentation related to the planned scope of OFAC compliance coverage, OFAC actions related to the institution, the completion of core examination procedures, examination results and conclusions, and the effectiveness of the institution's interdiction system.

3. Issue examination guidance on including the scope of work performed and conclusions on OFAC compliance in reports of examination.

4. Issue examination guidance to ensure that OFAC concerns at financial institutions are clearly identified apart from BSA-related observations for monitoring and tracking purposes.

Corporation Comments and OIG Evaluation

The Director, DSC, provided a written response to a draft of this report on December 8, 2006. DSC's response is presented in its entirety in Appendix III of this report. DSC concurred with recommendation 2 and agreed with the intent of recommendations 3 and 4.

The FDIC and the other FBAs issued the Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual in July 2006, which provides additional OFAC examination guidance and addresses aspects of recommendations 2 and 3. For recommendations 2 and 4, DSC agreed to review its examination guidance and by September 30, 2007, issue revised guidance or reminders to examiners, where necessary, to clarify the nature and extent of documentation expected for OFAC examination coverage. With respect to recommendation 3, DSC issued examination guidance on December 1, 2006, addressing the presentation of the scope of examination work and conclusions on OFAC compliance in reports of examination. The guidance adequately addresses our concerns. 
Therefore, we consider recommendation 3 to be resolved and closed.

DSC's completed and planned actions for recommendations 2 and 4 are responsive to the recommendations, and we consider these recommendations resolved. However, these recommendations will remain open until we have determined that agreed-to corrective actions have been completed and are effective. Appendix IV presents a summary of DSC's responses to our recommendations.

MATTER FOR CONGRESSIONAL CONSIDERATION – AUTHORITIES FOR SUPERVISION OF OFAC COMPLIANCE

As shown in detail in Appendix II, a more comprehensive statutory and regulatory framework exists for ensuring compliance with the BSA than for OFAC compliance, although both laws address national security and law enforcement concerns. The following sections summarize our analysis of the differences and their potential implications.

Examination and Enforcement Authority for BSA Compliance

Under Sections 8 and 10 of the Federal Deposit Insurance (FDI) Act, the FDIC has plenary authority to examine banks and enforce compliance with laws and regulations. Nevertheless, the Treasury Department has overall authority for BSA enforcement and compliance and has delegated examination authority to the FBAs for institution compliance with BSA recordkeeping and reporting requirements. Further, of particular note:

• Section 8 of the FDI Act provides direct authority to the FBAs for BSA examination and enforcement.

• The FDI Act requires each FBA to (1) prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA, (2) review such procedures during examinations, (3) enforce compliance with the BSA monetary transaction recordkeeping and reporting requirements, and (4) issue C&Ds when deemed appropriate.

• The FDI Act authorizes the FBAs to impose civil money penalties for violations of C&D provisions.

Additionally, the FDIC Rules and Regulations, section 326.8, Bank Secrecy Act Compliance, outlines the compliance program elements that FDIC-supervised banks must establish and maintain to assure and monitor their compliance with BSA recordkeeping and reporting provisions.

Failure by an FDIC-supervised financial institution to comply with the BSA requirements can result in regulatory actions by the Treasury Department and/or the FDIC. The BSA and its underlying regulations give the Treasury Department authority to assess civil money penalties for violations and to refer cases to the Department of Justice for possible criminal prosecution. The FDIC is required to report all identified BSA violations to the Treasury Department and to refer violations that warrant penalties. Such referrals, however, do not preclude the FDIC from taking regulatory action when BSA violations are identified.

Examination and Enforcement Authority for OFAC Compliance

The statutory and regulatory framework for OFAC compliance is generally limited to OFAC-specific oversight and enforcement activities and focuses on transaction and account-level requirements and penalties. Specifically, as discussed earlier, OFAC has overall responsibility for developing, promulgating, and administering sanctions for the Treasury Department. In addition:

• OFAC can review an institution's compliance with OFAC-administered economic sanctions programs and take enforcement action through delegations of authority from the Secretary of the Treasury. However, these authorities have not been delegated to the FBAs that routinely perform OFAC compliance reviews as part of BSA/AML examinations. Additionally, the Government Accountability Office (GAO) and Treasury Department OIG have concluded that OFAC is limited in its ability to monitor financial institution compliance with foreign sanction requirements and does not have the authority to conduct examinations or proactively monitor financial institutions for compliance.15

• Executive Order 13224 expanded the scope of U.S. sanctions against international terrorists and terrorist organizations and OFAC's authority related to such activities. However, the Executive Order was not accompanied by comparable changes in the statutory framework for OFAC compliance. Additionally, the Executive Order did not address the FBAs' authority in this area.

• Although financial institutions must comply with OFAC regulations and sanctions, there are no laws or regulations requiring institutions to have an OFAC compliance program. Therefore, the FBAs and OFAC must rely on financial institutions to implement appropriate controls to ensure compliance with OFAC-related laws and regulations as a matter of sound banking practice, not as a requirement. DSC officials have stated that (1) FDIC-supervised financial institutions are complying, to a great extent, with OFAC requirements and that (2) the lack of a statutory or regulatory requirement has not limited the extent of the FDIC's oversight and supervision of OFAC compliance programs.

• The FBAs lack specific statutory and regulatory authority for taking enforcement actions associated with institution noncompliance with OFAC regulations. Instead, U.S.C. Title 12 authorizes the FBAs to take certain enforcement actions if they determine that an institution is engaging in unsafe and unsound practices or has violated any applicable law or regulation. The FBAs have interpreted this authority to allow them to take formal enforcement actions aimed at addressing violations of OFAC regulations. However, we did not identify any instances in which the FDIC had taken enforcement actions solely related to OFAC sanctions violations or program deficiencies. Rather, some supervisory actions that addressed BSA violations and deficiencies also addressed OFAC deficiencies.

The FDIC and OFAC have provided guidance to financial institutions that outlines controls that financial institutions are expected to implement to ensure compliance with OFAC requirements. The guidance states that financial institutions should establish and implement controls similar to those required for BSA compliance programs. According to the FFIEC BSA/AML Examination Manual, as a matter of sound banking practice and in order to ensure compliance with OFAC regulations, financial institutions should establish and maintain an effective, written OFAC compliance program commensurate with their specific product lines, customer base, nature of transactions, and identification of high-risk areas for OFAC transactions. 
Recognizing high-risk areas, an institution should include in its compliance program appropriate internal controls necessary to meet established expectations and ensure compliance. Those controls should include:

• a risk assessment based on product lines, customer base, nature of transactions, and identification of high-risk areas for OFAC transactions;
• policies and procedures;
• a designated compliance officer;
• a system of internal controls;
• training; and
• independent testing.

15 GAO report entitled, Foreign Regimes' Assets: The United States Faces Challenges in Recovering Assets, but Has Mechanisms That Could Guide Future Efforts (GAO-04-1006, dated September 14, 2004), and Treasury Department OIG report entitled, Foreign Assets Control: OFAC's Ability To Monitor Financial Institution Compliance Is Limited Due To Legislative Impairments (OIG-02-082, dated April 26, 2002). According to OFAC, however, to the extent that these reports may be understood to conclude that its authority to conduct compliance reviews is impaired, OFAC respectfully disagrees.

In addition, OFAC's guidance entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005,16 outlines the type of controls that could be implemented to ensure that financial institutions properly identify and block or reject prohibited transactions and report these transactions to OFAC. The guidance, however, does not constitute a legally-enforceable requirement for a compliance program.

16 The January 12, 2006 Federal Register contained guidance on OFAC enforcement procedures entitled, Economic Sanctions Enforcement Procedures for Banking Institutions, taking into account that each financial institution's situation is different and that financial institutions' compliance programs should be tailored to their unique circumstances. OFAC's review of information may include, but not be limited to, the evaluation of a financial institution's OFAC compliance program by its primary federal regulator; the institution's history of OFAC compliance; the circumstances surrounding any apparent violation, including what appear to be patterns or weaknesses in an institution's compliance program and whether they indicate negligence or a fundamental flaw in the compliance effort or system and whether they were voluntarily disclosed; and enforcement information provided by the institution to OFAC.

Conclusion

Although Executive Order 13224 expanded the scope of U.S. sanctions against international terrorists and terrorist organizations, and OFAC's authority related to such, there was no statutory change to recognize OFAC's expanded authority. Additionally, the Order did not address the FBAs' authorities related to OFAC examination coverage or enforcement. Whether additional and specific authority is needed to better ensure compliance with OFAC regulations and sanctions is a matter for congressional consideration. In that regard, we are providing this information to assist the Congress in considering whether more specific statutory authorities, particularly as they relate to OFAC compliance programs and enforcement action, would heighten the extent of institution and regulatory attention to this area and help mitigate the increased risk associated with terrorist and other criminal activities using the Nation's financial system.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to determine whether DSC provides effective supervision of compliance with OFAC regulations by FDIC-supervised institutions. To address our audit objective, we (1) assessed the FDIC's statutory and regulatory authorities for ensuring OFAC compliance by the institutions it supervises, (2) reviewed DSC's supervisory and examination processes for OFAC compliance, and (3) reviewed 16 sampled examinations for DSC coverage of OFAC compliance.

This report discusses statutory and regulatory issues that have a bearing on the FDIC's oversight of financial institutions' OFAC compliance programs. These issues may apply equally to the other FBAs, which also examine financial institutions for OFAC compliance. In addition, this report includes observations from our review of OFAC examination coverage by DSC at sampled financial institutions. 
We performed our audit from March through August 2006 in accordance with generally accepted government auditing standards.

Scope and Methodology

We performed the following steps to address the audit objective.

• Interviewed FDIC officials at DSC headquarters in Washington, D.C., and the Atlanta and New York Regional Offices.

• Identified applicable laws, regulations, criteria, and other guidance on OFAC and BSA compliance as follows:

    • OFAC regulations, C.F.R. Title 31, Money and Finance Treasury Part V-Foreign Assets Control Regulations, (31 C.F.R., Chapter V).

    • OFAC guidance, entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005.

    • OFAC guidance in the Federal Register entitled, Economic Sanctions Enforcement Procedures for Banking Institutions, dated January 12, 2006 (Interim final rule 31 C.F.R. Part 501).

    • Bank Secrecy Act of 1970, Public Law 91-508, codified to 31 U.S.C. Section 5311 et seq., also known as the Currency and Foreign Transactions Reporting Act.

    • 31 C.F.R. Part 103, Financial Recordkeeping and Reporting of Currency and Foreign Transactions, the BSA's implementing regulation.

    • FDIC Rules and Regulations:

        - Section 326.8, codified to 12 C.F.R. Section 326.8,
        - Section 337.12, codified to 12 C.F.R. Section 337.12, and
        - Section 353, codified to 12 C.F.R. Section 353.

    • Section 8 and Section 10(b) of the FDI Act.

    • DSC's examination policies and procedures, including:

        - Risk Management Manual of Examination Policies, Section 8.1, Bank Secrecy Act, Anti-Money Laundering and Office of Foreign Assets Control.
        - FFIEC BSA/AML Examination Manual, issued June 30, 2005 and updated July 28, 2006.

    • FILs announcing the issuance of the FFIEC BSA/AML Examination Manual and updates to the OFAC SDN list.

• Reviewed DSC's Regional Directors Memoranda entitled, Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules, Transmittal 2001-039; Monitoring and Tracking of BSA Problem Institutions, Transmittal 2004-025; and Compliance with Office of Foreign Assets Control Memorandum of Understanding, Transmittal 2006-024.

• Reviewed the Right to Financial Privacy Act (RFPA) of 1978 (12 U.S.C. Section 3401), which governs the sharing of financial information held by financial institutions.

• Met with OFAC officials and reviewed the Treasury Department's OIG and Government Accountability Office (GAO) reports on OFAC compliance.

• Identified applicable laws and regulations related to DSC's examination and enforcement authority for BSA/AML and OFAC.

• Reviewed a judgmental sample of 16 financial institution BSA/AML examinations started on or after September 1, 2005 and ended on or before April 10, 2006 to determine the extent of examination coverage for OFAC compliance. We reviewed reports of examination and examination workpapers that included preplanning documentation, financial institution BSA/AML and OFAC risk assessments, core examination procedures, correspondence files, documentation supporting OFAC training, independent testing, policies and procedures, updates to the SDN list, and designations of an OFAC compliance officer.

• Reviewed information on possible FDIC-supervised financial institutions' failures to comply with OFAC regulations.

• Reviewed the FDIC's Web site for information on C&Ds issued for BSA and/or OFAC noncompliance for January 1, 2004 through August 11, 2006.

In addition, we coordinated with the FDIC Ombudsman's Office to determine whether that office had (1) received general concerns, comments, or complaints related to OFAC compliance or (2) generated any related trend information or bankers' perspectives. The Ombudsman's Office responded that it did not have a sufficient basis on which to identify trends regarding OFAC nor would such data address our audit's goal of determining the effectiveness of the FDIC's supervision of state non-member banks' compliance with OFAC regulations.

In addition, we coordinated with the OIGs for Treasury, FRB, and NCUA regarding previous or ongoing audit work related to OFAC compliance.

Evaluation of Internal Controls

We gained an understanding of the internal control activities relevant to the FDIC's examination process for OFAC compliance by identifying and reviewing applicable policies and procedures related to the FDIC's examination of financial institutions for OFAC compliance, including guidance provided to FDIC examiners (FFIEC BSA/AML Examination Manual, DSC Risk Management Manual of Examination Policies, FILs, OFAC regulations, and OFAC guidance issued January 12, 2006). Additionally, we interviewed DSC officials responsible for BSA/AML and OFAC examinations in DSC headquarters and selected regional and field offices.

Our assessment of internal controls determined that the FDIC has implemented some internal controls and interagency guidance related to examinations of financial institution compliance with OFAC regulations. However, controls related to the implementation of OFAC compliance programs need improvement, as indicated in our Results of Audit.

Reliance on Computer-based Data

We used computer-based data and reports from the Virtual Supervisory Information on the Net (ViSION) system to identify the universe of examinations conducted from September 1, 2005 through April 10, 2006. 
However, we did not test the reliability of computer-based data\nextracted from ViSION because the data were not significant to our conclusions or\nrecommendations.\n\nCompliance With Laws and Regulations\n\nWe reviewed applicable laws and regulations on OFAC compliance. We determined that there\nare no laws or regulations that apply to or require the FDIC\xe2\x80\x99s examination of financial\ninstitutions for OFAC compliance, except those that relate, in general, to the FDIC\xe2\x80\x99s overall\nexamination authority (Section 10(b) of the FDI Act, and Section 337.12 of the FDIC Rules and\nRegulations). In addition, we determined that the FDIC does not have specific authority to\nenforce OFAC compliance. In the absence of such specific authority, the FDIC relies on its\ngeneral authority to impose enforcement actions under Section 8 of the FDI Act to take action for\nOFAC compliance as it relates to operating a financial institution in an unsafe and unsound\nmanner or noncompliance with laws and regulations.\n\nAlthough financial institutions must comply with OFAC regulations and sanctions, no laws or\nregulations require financial institutions to have an OFAC compliance program. According to\nthe FDIC Risk Management Manual of Examination Policies, there are no regulatory program\nrequirements for institutions\xe2\x80\x99 OFAC compliance. Additionally, DSC officials stated that there\nare no express statutory or regulatory provisions for financial institutions to have programs that\ncomply with OFAC-administered laws or to check OFAC\xe2\x80\x99s SDN list before processing a\ntransaction or opening an account. However, DSC officials also indicated that failure to have an\n                                                17\n\x0c                                                                                    APPENDIX I\n\nadequate OFAC compliance program could be an unsafe and unsound practice. 
This report\nidentifies actions that DSC could take to improve management controls over the supervision of\nOFAC compliance.\n\nGovernment Performance and Results Act\n\nWe reviewed DSC\xe2\x80\x99s performance measures under the Government Performance and Results Act,\nPublic Law 103-62. We reviewed the FDIC\xe2\x80\x99s 2005-2010 Strategic Plan and 2006 Corporate\nAnnual Performance Plan to determine whether the FDIC has established goals related to OFAC\ncompliance. Neither plan includes goals, objectives, or indicators specifically related to OFAC\ncompliance. Those documents, however, include information related to BSA examinations and\ncompliance and reference OFAC in a discussion on BSA/AML training.\n\nFraud and Illegal Acts\n\nThe nature of the audit objective did not require that we assess the possibility for fraud and\nillegal acts. However, we were alert to the possibility of fraud and illegal acts, and none came to\nour attention during this audit.\n\nSummary of Prior Audit Coverage\n\nThe FDIC OIG has not previously performed an audit specifically focused on OFAC\nexamination coverage. However, on March 31, 2004, the FDIC OIG issued Audit Report No.\n04-017 entitled, Supervisory Actions Taken for Bank Secrecy Act Violations. That audit\naddressed FDIC BSA/AML examinations, which included coverage of OFAC compliance.\n\nWe reviewed audit reports related to OFAC compliance issued by the Treasury Department OIG\nand the GAO. The Treasury Department\xe2\x80\x99s OIG issued a report entitled, Foreign Assets Control:\nOFAC\xe2\x80\x99s Ability To Monitor Financial Institution Compliance Is Limited Due To Legislative\nImpairments (OIG-02-082, dated April 26, 2002), which concluded that OFAC is limited in its\nability to monitor financial institution compliance with foreign sanctions. 
The report recommended that the Treasury Department inform the Congress that:

   •   OFAC lacks sufficient authority to ensure financial institution compliance with foreign sanctions, and

   •   OFAC’s ability to ensure financial institution compliance with foreign sanctions would be enhanced through a legislative change that would enable bank regulators to share information about their compliance examinations with OFAC.

The report concluded that information sharing could be accomplished by amending the RFPA to include OFAC in the definition of “bank regulator.” In response, OFAC agreed that its current legislative authority could be improved in terms of the information shared by bank regulators but stated that, despite statutory limitations, OFAC and the financial regulators have created an adequate compliance system. In February 2004, OFAC’s Director informed the Senate Finance Committee that OFAC had engaged in discussions with the Treasury Department about the desirability of adopting the recommendation for legislative change for information sharing and that the Treasury Department was reviewing whether certain changes in the technical definitions of the RFPA would further enhance OFAC’s ability to ensure compliance.
The FBAs signed an MOU with OFAC in April 2006 that governs information sharing between the FBAs and OFAC and addresses some of the limits on sharing individual financial account information by relying on financial institutions to provide this information directly to OFAC, when needed.

GAO issued a report entitled, Foreign Regimes’ Assets: The United States Faces Challenges in Recovering Assets, but Has Mechanisms That Could Guide Future Efforts (GAO-04-1006, dated September 14, 2004). GAO reported the following:

   •   The primary way OFAC learns about violations of its regulations is through its review of mandatory reports filed by financial institutions.

   •   In every instance in which a U.S. bank has acted inappropriately, OFAC has sent information regarding the transaction to the appropriate financial regulator.

   •   In a limited number of instances, OFAC learns about violations of its regulations through “self-disclosure” by financial institutions or when a second institution involved in a transaction subsequent to the first institution blocks a transaction and notifies OFAC, thus also informing OFAC of the first institution’s involvement in the transaction.

GAO also reported that OFAC’s ability to monitor financial institutions’ compliance with its regulations is hampered because the varied legislation under which OFAC operates does not provide it with the authority to proactively monitor financial institution compliance with foreign sanctions.
GAO further stated that OFAC’s ability is limited because it does not have supervisory authority over financial institutions and, thus, relies on the financial institutions’ regulators to monitor institutions’ OFAC compliance programs. GAO recommended, among other things, that the Treasury Department seek legislative authority to allow financial regulators to share complete information from examinations. The Treasury Department responded that it was working on this issue and was uncertain whether a legislative change was needed to allow OFAC access to information from financial regulators’ examinations. In addition, the Treasury Department stated that it was working with the financial regulators for comprehensive arrangements for information sharing. Our current audit addressed the information-sharing MOU signed by OFAC and the FBAs.


APPENDIX II

REGULATORY AUTHORITY AND OVERSIGHT FOR OFAC AND BSA COMPLIANCE

ELEMENT | OFAC | BSA | REGULATORY AUTHORITY AND OVERSIGHT

REGULATIONS AND DELEGATED AUTHORITY
Compliance Program Required | No | Yes | OFAC Regulations (31 C.F.R. Part V) require financial institutions to comply with sanctions; but there is no specific requirement for financial institutions to implement an OFAC compliance program. FDIC Rules and Regulations, Section 326.8 requires financial institutions to implement a compliance program for BSA.
FDIC Rules and Regulations | No | Yes | FDIC Rules and Regulations, Section 326.8 applies to BSA.
Specific Delegated Authority | No | Yes | The Treasury Department’s FinCEN and FDI Act, Section 8 provide delegated authority for BSA.

COMPLIANCE PROGRAM
(Authority for all elements in this section: OFAC Regulations (31 C.F.R. Part V), FFIEC BSA/AML Examination Manual; FDIC Section 326.8 for BSA; and Section 8(s) of the FDI Act.)
Written Board-Approved Policies and Procedures | Yes | Yes
Internal Controls | Yes | Yes
Independent Testing | Yes | Yes
Compliance Officer | Yes | Yes
Training | Yes | Yes
Legal Requirement | No | Yes

EXAMINATION AND ENFORCEMENT AUTHORITY
General Examination Authority | Yes | Yes | FDI Act Section 10(b) examination authority and FDIC Rules and Regulations, Section 337.12.
Specific Examination Authority | No | Yes | FDI Act Section 8 examination authority.
General Enforcement Authority | Yes | Yes | FDI Act Section 8, which addresses the FDIC’s authority to impose formal enforcement actions for unsafe and unsound practices and noncompliance with laws and regulations.
Specific Enforcement Authority | No | Yes | FDI Act Section 8(s) and Section 8(i); FDIC Rules and Regulations Section 326.8 and Part 353, and Treasury Department’s 31 C.F.R. Part 103 recordkeeping and reporting requirements for BSA.
Other Entity Authorized to Enforce Compliance | Yes | Yes | Treasury Department’s OFAC for OFAC and Treasury Department’s FinCEN for BSA.

SUPERVISORY MONITORING
Cite and Track Violations | No | Yes | Based on cited violations in accordance with FDIC Rules and Regulations Section 326.8 and Part 353, and Treasury’s 31 C.F.R. Part 103 recordkeeping and reporting requirements.
Automated Monitoring System or Process | No | Yes | FDIC’s manual case-by-case review of ViSION data for OFAC issues. FDIC’s automated system (ViSION) for BSA.
Monitoring and Tracking of Problem Institutions | No | Yes | Regional Directors Memorandum, Monitoring and Tracking of BSA Problem Institutions.

EXAMINATION GUIDANCE
(Authority for all elements in this section: FFIEC BSA/AML Examination Manual.)
Risk-Focused Examinations | Yes | Yes
Risk Matrix | Yes | Yes
Core Procedures | Yes | Yes
Expanded Procedures | No | Yes

Source: OIG review of the FFIEC BSA/AML Examination Manual, FDIC examination guidance, FDIC Rules and Regulations, Treasury Department’s BSA reporting and recordkeeping requirements and OFAC regulations, and the FDI Act.


APPENDIX III

[Appendix III content not recoverable from the extracted text.]


APPENDIX IV

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Recommendation 1
  Corrective Action: Taken or Planned/Status: DSC has implemented a centralized process to track violations of OFAC sanctions and institutions with compliance program deficiencies. Records for all enforcement actions, including those with OFAC provisions, are stored in ViSION’s Formal and Informal Actions Tracking module.
  Expected Completion Date: November 30, 2006
  Monetary Benefits: $0
  Resolved (a): Resolved
  Open or Closed (b): Open

Recommendation 2
  Corrective Action: Taken or Planned/Status: DSC will review examination guidance for opportunities to provide additional clarification. On July 28, 2006, DSC issued a Regional Directors Memorandum entitled, Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual, which provides guidance on the review of a financial institution’s risk assessment and audit. In addition, on December 9, 2005, DSC issued a Regional Directors Memorandum entitled, Formal and Informal Actions Procedures Manual, which provides guidance on administrative procedures for formal and informal corrective actions.
  Expected Completion Date: September 30, 2007
  Monetary Benefits: $0
  Resolved (a): Resolved
  Open or Closed (b): Open

Recommendation 3
  Corrective Action: Taken or Planned/Status: DSC agreed with the intent of this recommendation. On December 1, 2006, DSC issued examination guidance addressing the presentation of the scope of examination work and conclusions on OFAC compliance in reports of examination.
  Expected Completion Date: December 1, 2006
  Monetary Benefits: $0
  Resolved (a): Resolved
  Open or Closed (b): Closed

Recommendation 4
  Corrective Action: Taken or Planned/Status: DSC agreed with the intent of this recommendation. As stated in response to recommendation 1, DSC has implemented a centralized system to track violations of OFAC sanctions and institutions with compliance program deficiencies. In addition, DSC will review existing guidance and, as necessary, issue revised guidance or reminders to examiners.
  Expected Completion Date: September 30, 2007
  Monetary Benefits: $0
  Resolved (a): Resolved
  Open or Closed (b): Open

(a) Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

(b) Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.